System and method for dynamically allocating resources

ABSTRACT

A computer network has a number of resources. One or more trusted localisation provider certifies the location of the resources. Encrypted data is closely associated with a policy package defining privacy policies for the data and metapolicies for their selection. A trusted privacy service enforces the privacy policies. The trusted privacy service is arranged to supply a key to a resource to allow that resource to process data if the trusted privacy service determines from the trusted localisation provider certifying the location and other contextual information of the resource that the privacy policy allows processing of the data on that resource in that location.

CROSS REFERENCE TO RELATED APPLICATIONS

This is a divisional of U.S. application Ser. No. 11/335,877, filed Jan. 20, 2006, which claims priority from United Kingdom Appl. No. 0501392.5, filed Jan. 22, 2005, both hereby incorporated by reference.

TECHNICAL FIELD

The invention relates to dynamically allocating resources with privacy enforcement, and to methods, apparatus, networked systems and computer software for carrying out this task.

BACKGROUND ART

In modern networked computer systems, computing resources may be allocated dynamically based on business needs. The physical location of the resources can vary widely, and data is not necessarily stored on local data storage.

In such networked computer systems confidential computer information can be transferred widely. However, it is important to ensure that confidential information can only be accessed by suitable users, which may be determined geographically, by business function, or in many other ways.

Thus, some form of privacy management may be required.

However, as networked computer systems are increasingly based on dynamic processing assumptions, privacy management based on static assumptions will no longer be adequate.

For example, EP 1220510 describes context-aware computing. Devices and methods are provided that are context aware, for example location aware, so that policies are evaluated as a function of context. EP 1220510 is particularly concerned with a way of encoding locations in a uniform way.

US 2003/0163431 describes a secure computing system for enforcing a secure handling and control chain.

Resource protection in distributed systems is addressed in U.S. Pat. No. 6,658,573. The system uses name resolution, reducing direct access to a resource, and controls the name resolution process for indirect access to a resource. An interception manager can prevent the resolution of some symbolic names in appropriate cases.

However, this approach only addresses the question of accessing resources, not that of selecting resources to carry out tasks on a system with distributed processing and storage capacity and validating that those resources are authorised to carry out that processing.

SUMMARY OF INVENTION

In a first aspect, the invention relates to a method of dynamically allocating computing resources for a transaction related to data, comprising the steps of:

(a) receiving a request requiring a computing resource to process data to be processed;

(b) selecting, based on the data to be processed and contextual information, a set of rules associated with the data to be processed;

(c) selecting a selected resource or resources to process the data and transmitting the data, in a protected or encrypted format, to the selected resource or resources;

(d) sending a message from the selected resource to a trusted privacy service requesting a key to decrypt the data to allow the data to be decrypted so that it can be processed on the selected resource;

(e) determining in the trusted privacy service whether the selected resource complies with the selected rules and, if so, sending a key from the trusted privacy service to the resource to allow the resource to decrypt the data and process the data.

In a second aspect, the invention relates to a computer system including:

a plurality of resources;

a network linking the resources;

at least one trusted localisation provider arranged to certify the location of the resource or resources;

a policy package associated with data defining different privacy policies for the data and metadata to select the relevant set of privacy policies;

at least one trusted privacy service arranged to enforce the privacy policies;

a store storing confidential data in an encrypted fashion, wherein the encrypted data can only be decrypted using one or more keys; and

a resource allocation service allocating resources to process the data;

wherein the trusted privacy service is arranged to supply one or more keys to a resource to allow that resource to process data if the trusted privacy service determines from the trusted localisation provider and the resource that the privacy policy allows processing of the data on that resource in that location.

The invention also relates to the various components of the computer system and methods of operating them, as well as computer program products arranged to carry out the method.

BRIEF DESCRIPTION OF DRAWINGS

For a better understanding of the invention, embodiments will now be described, purely by way of example, with reference to the accompanying drawings, in which:

FIG. 1 is a schematic diagram of a first embodiment of the invention;

FIG. 2 is a schematic diagram of a second embodiment of the invention;

FIG. 3 is a schematic diagram of a detail of the second embodiment;

FIG. 4 is a schematic diagram of a further detail of the second embodiment;

FIG. 5 is a schematic diagram of a yet further detail of the second embodiment; and

FIG. 6 is a schematic diagram of a third embodiment.

DETAILED DESCRIPTION

Referring to FIG. 1, a first example will be presented. This example is of a distributed computer system in two countries handling personal data subject to different privacy policies and legislation.

The first example is simple for ease of explanation and does not represent the full power of the approach described in the present specification.

The system includes storage resources 10, processing resources 12 and a network 14 linking the resources. These resources are located in two countries, country A and country B. Some of the processing resources are secure processing resources having a secure processing module 16 within them. A number of user terminals 18 are also provided, which are also resources.

For simplicity, it will be assumed that the data stored is the salary, job description, work telephone number and email address of employees.

Depending on the country of employment, different privacy policies will be imposed by national law. Privacy laws and guidelines change according to location, geographical boundaries, contextual aspects, local customs/culture, etc. It is important to assess which “policy” applies at the point of data processing/transfer/disclosure.

For example, it may be assumed that country B has a national law preventing work telephone numbers being publicly available. Country A has no such law. Thus, depending on the country of employment of an employee, the work telephone number may or may not be confidential information.

A policy package 20 describes the privacy policies of the data in a context-aware manner. In this embodiment, a single policy package 20 is provided, represented by a matrix listing the data field against the country of employment and having an entry describing the confidentiality policy for the relevant data. For example, in the embodiment described, the policy package 20 may be described by metapolicies and a matrix as follows:

Meta-policies: IF Processing_location = “Country A” THEN Apply_Policy1 ELSE Apply_Policy2 ELSE Deny_Access

Information        Policy 1                Policy 2
Salary             Strictly Confidential   Strictly Confidential
Work Telephone     Not Confidential        Confidential
Email              Not Confidential        Not Confidential
Job Description    Not Confidential        Not Confidential

The policy package 20 also includes a set of rules defining the privacy policies implied by the three confidentiality levels “Confidential”, “Strictly Confidential” and “Not Confidential”. In the example, metarules define how to select privacy policies based on location criteria.

In general, policies are much more complex than this. They may include logical constraints and conditions on time, location, identity/roles, credentials and properties. It is a particular benefit of this and other embodiments that a wide variety of different policies can be implemented.

Note that the policy package 20 is closely associated with the data 24 represented by the policy package. Conveniently, this may be achieved by storing the policy package and the data 24 as a single file.

Preferably, the processing environment generally ensures that the policy package and data cannot be separated and maintains the integrity of the data item, i.e. the policy package and data.

These rules may be set out as an XML file. The package may be digitally signed. The package is stored in a secure environment, which may be determined by the system itself by allocating a very high security level to the policy package 20 so that it can only be processed by the trusted privacy server 26 (see below).

Data that is confidential, i.e. has a confidentiality level of “Confidential” or “Strictly Confidential”, is stored in an encrypted format. The XML file may specify different encryption policies depending on the confidentiality level. For example, the minimum key length for “Confidential” may be less than for “Strictly Confidential” information. Further, suppose that in the example salary data may only be processed in the country of the employee. Much more complex policies might apply.
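As an added illustration, and not code from the patent, the metapolicy and matrix above rendered as a small Go policy engine: the metapolicy selects Policy 1 or Policy 2 from the processing location, the selected policy classifies each field, a rule per level records whether encryption is required, and the example's extra rule that salary is only processed in the employee's own country is applied on top. The reading of the “ELSE Apply_Policy2 ELSE Deny_Access” clause as “Country B gets Policy 2, anywhere else is denied”, the key lengths, and the type and function names are all assumptions.

```go
package main

import "fmt"

// Level is one of the three confidentiality levels named in the policy package.
type Level int

const (
	NotConfidential Level = iota
	Confidential
	StrictlyConfidential
)

func (l Level) String() string {
	return [...]string{"Not Confidential", "Confidential", "Strictly Confidential"}[l]
}

// Policy is one column of the matrix: data field -> confidentiality level.
type Policy map[string]Level

// PolicyPackage travels with the data: candidate policies plus the metapolicy.
type PolicyPackage struct {
	Policies map[string]Policy
	// Metapolicy returns the name of the policy to apply, or "" for Deny_Access.
	Metapolicy func(processingLocation string) string
}

// EmployeePackage encodes the matrix and metapolicy from the description; the
// "ELSE Apply_Policy2 ELSE Deny_Access" clause is read as: Country B gets
// Policy 2 and any other processing location is denied (an assumption).
func EmployeePackage() *PolicyPackage {
	return &PolicyPackage{
		Policies: map[string]Policy{
			"Policy1": {"Salary": StrictlyConfidential, "Work Telephone": NotConfidential,
				"Email": NotConfidential, "Job Description": NotConfidential},
			"Policy2": {"Salary": StrictlyConfidential, "Work Telephone": Confidential,
				"Email": NotConfidential, "Job Description": NotConfidential},
		},
		Metapolicy: func(loc string) string {
			switch loc {
			case "Country A":
				return "Policy1"
			case "Country B":
				return "Policy2"
			}
			return "" // Deny_Access
		},
	}
}

// Classify runs the metapolicy for the processing location and looks the field
// up in the selected policy. An error means access is denied outright.
func (p *PolicyPackage) Classify(field, processingLocation string) (Level, error) {
	name := p.Metapolicy(processingLocation)
	if name == "" {
		return NotConfidential, fmt.Errorf("access denied: no policy for location %q", processingLocation)
	}
	lvl, ok := p.Policies[name][field]
	if !ok {
		return NotConfidential, fmt.Errorf("%s has no entry for field %q", name, field)
	}
	return lvl, nil
}

// EncryptionRule is what the package's XML attaches to a level. The key lengths
// are constructed; the text only says Confidential may use a shorter key.
type EncryptionRule struct {
	MustEncrypt bool
	MinKeyBits  int
}

func RuleFor(l Level) EncryptionRule {
	switch l {
	case StrictlyConfidential:
		return EncryptionRule{MustEncrypt: true, MinKeyBits: 256}
	case Confidential:
		return EncryptionRule{MustEncrypt: true, MinKeyBits: 128}
	}
	return EncryptionRule{} // Not Confidential: may be stored in clear
}

// MayProcess adds the example's extra rule that salary data may only be
// processed in the employee's own country, on top of the metapolicy result.
func (p *PolicyPackage) MayProcess(field, employeeCountry, processingLocation string) (bool, string) {
	lvl, err := p.Classify(field, processingLocation)
	if err != nil {
		return false, err.Error()
	}
	if field == "Salary" && employeeCountry != processingLocation {
		return false, "salary data may only be processed in the employee's country"
	}
	return true, fmt.Sprintf("%s is %s under %s", field, lvl, p.Metapolicy(processingLocation))
}

func main() {
	pkg := EmployeePackage()
	ok, why := pkg.MayProcess("Salary", "Country B", "Country A")
	fmt.Println(ok, why) // false salary data may only be processed in the employee's country
}
```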

Each resource 10, 12 that may be used for processing confidential data has a trusted localisation provider 22. This provides certified location of the resource, with different degrees of assurance (for example via signed certificates) stating the location of the resource. In this simple embodiment, the certificate is simply stored in a secure manner in the trusted localisation provider.

A trusted privacy server 26 is provided to check and enforce privacy policies based on the “policy package”.

The requirements that need to be satisfied in order to access and process confidential data are determined by the policy package 20, as interpreted by the trusted privacy service 26. The trusted privacy service 26 can discriminate which resources can and cannot process associated confidential data. Further, the trusted privacy service 26 determines which privacy policies apply.

This is achieved by ensuring that confidential data is only transferred between resources in encrypted form. The only way that a resource can process the data is to decrypt the data using one or more decryption keys. The trusted privacy service 26 only provides the decryption key for specific data items to resources that are allowed to process those specific data items, based on the privacy policy. To process data, the resource 22 sends a message to the trusted privacy service 26 requesting a key. The trusted privacy service determines if the resource meets the appropriate privacy policy and only provides the key to the resource if it does. One or more trusted privacy services could be used.

For example, the privacy policy may be such as to require salary data only to be processed by resources in the country in question. Thus, in this case, the trusted privacy server will only issue the decryption key for specific items of salary data to resources for which the trusted localisation provider 22 located within the resource confirms that the resource is in the correct country, in accordance with the rules of the privacy policy.

Note that the data in the present case may include items of different sensitivity. These may be encrypted with a number of different keys. The trusted privacy service provides one or more keys as requested to a resource, if that resource may process the corresponding data according to the privacy policy.

The privacy policy may further require that the resource is a trusted resource that is able to securely process confidential data, and may further require that the resource only processes data in certain ways. For example, the privacy policy may require that salary data not be published, and so only resources that provide suitable guarantees to the trusted privacy service regarding the security of the resource and the process to be carried out on the data will be provided with the decryption key for that data.

It is an important feature of this embodiment that the resources may be dynamically allocated so that processing and storage can be carried out where capacity is available.

In this example, resource allocation service 28 allocates resources to process personal/confidential data. When a resource is required, the resource allocation service identifies a potentially suitable resource and obtains from the trusted localisation provider the locality of the resource. Further information regarding the resource is obtained. This information is used to determine whether the resource is permitted to carry out the operation required. If so, the resource allocation service 28 allocates the resource and the resource interacts directly with the trusted privacy service to obtain access to the data, if required.

It will be noted that some operations, for example storage, do not require decryption. Nevertheless, the resource allocation server 28 still only selects resources meeting the requirements of the privacy policy, for example to store confidential data only on approved storage resources. In these cases, however, there is no need to decrypt the data at all, so this is not done.

If the resource allocation server 28 determines from the trusted privacy server 26 that a resource is not suitable, the resource allocation server 28 tries to allocate a different resource until one is found that is suitable. If no suitable resource is found, an error message is generated.
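An added Go example, not the patent's own code, of the key-release and allocation loop just described: the trusted privacy service holds one key per data item, checks a resource's certified country and secure processing module before releasing it, and the allocation service tries candidates in turn until the TPS accepts one, returning an error when none is suitable; a storage request only needs an approved store and never obtains a key. The DataItem, Resource and TPS types, the field names and the placeholder keys are all constructed for this example.

```go
package main

import "fmt"

// Sensitivity mirrors the confidentiality levels of the policy package.
type Sensitivity int

const (
	NotConfidential Sensitivity = iota
	Confidential
	StrictlyConfidential
)

// DataItem is one encrypted item plus the rule its policy package imposes on
// any resource that wants to process it in clear.
type DataItem struct {
	ID              string
	Level           Sensitivity
	EmployeeCountry string // strictly confidential items may only be processed here
}

// Resource is a processing or storage node. Country is what its trusted
// localisation provider certifies; SecureModule is the secure processing
// module 16; ApprovedStore marks storage cleared to hold confidential data.
type Resource struct {
	Name          string
	Country       string
	SecureModule  bool
	ApprovedStore bool
}

// TPS is the trusted privacy service. It keeps one key per data item (items of
// different sensitivity are encrypted under different keys) and releases a key
// only to a resource that satisfies the item's policy.
type TPS struct {
	keys map[string][]byte // constructed placeholders, not real key material
}

// Permits is the policy check. store=true means the resource only holds the
// ciphertext, which needs an approved store but no key and no location check.
func (t *TPS) Permits(item DataItem, r Resource, store bool) error {
	if item.Level == NotConfidential {
		return nil
	}
	if store {
		if !r.ApprovedStore {
			return fmt.Errorf("%s is not an approved store for confidential data", r.Name)
		}
		return nil
	}
	if !r.SecureModule {
		return fmt.Errorf("%s has no secure processing module", r.Name)
	}
	if item.Level == StrictlyConfidential && r.Country != item.EmployeeCountry {
		return fmt.Errorf("%s is in %s but %s may only be processed in %s",
			r.Name, r.Country, item.ID, item.EmployeeCountry)
	}
	return nil
}

// RequestKey is the message a resource sends to obtain the decryption key
// (step (d) of the summary); the TPS re-checks the policy before answering.
func (t *TPS) RequestKey(item DataItem, r Resource) ([]byte, error) {
	if err := t.Permits(item, r, false); err != nil {
		return nil, err
	}
	k, ok := t.keys[item.ID]
	if !ok {
		return nil, fmt.Errorf("no key registered for %s", item.ID)
	}
	return k, nil
}

// Allocate is the resource allocation service: it tries candidates in turn and
// returns the first the TPS accepts, or an error saying why each was rejected.
func Allocate(tps *TPS, item DataItem, store bool, candidates []Resource) (Resource, error) {
	var rejected []string
	for _, r := range candidates {
		if err := tps.Permits(item, r, store); err != nil {
			rejected = append(rejected, err.Error())
			continue
		}
		return r, nil
	}
	return Resource{}, fmt.Errorf("no suitable resource: %v", rejected)
}

func main() {
	salary := DataItem{ID: "salary/emp42", Level: StrictlyConfidential, EmployeeCountry: "Country B"}
	tps := &TPS{keys: map[string][]byte{salary.ID: []byte("constructed-key-1")}}
	pool := []Resource{
		{Name: "proc-a1", Country: "Country A", SecureModule: true},
		{Name: "proc-b1", Country: "Country B"},
		{Name: "proc-b2", Country: "Country B", SecureModule: true},
	}
	r, err := Allocate(tps, salary, false, pool)
	fmt.Println(r.Name, err) // proc-b2 <nil>
}
```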

In this way, resources are dynamically allocated on the basis of privacy and other requirements and contextual information. The privacy policies can be readily changed and updated by changing the policy package 20. Thus, the embodiment allows the ready enforcement of a variety of different requirements in a consistent and accountable way. The use of the trusted localisation provider 22 ensures that not merely the security requirements of a confidential server but also the correct processing location is used when required.

For example, if a user computer 18 attempts to access data, the user computer will only be allowed access to confidential data if the user computer has a suitable location, as determined by the trusted localisation provider, as well as a suitably secure processing facility.

Note that a benefit of the embodiment is that in the event of new rules regarding confidentiality related to certain pieces of data it is only necessary to change the privacy policies associated with that data.

Moreover, the system can readily cope with a very large number of different policy packages and policies since the policy package is associated with the data.

It should be noted that the trusted privacy module has a very different function to the privacy manager of EP 1220510, even if the name is similar. In EP 1220510, the privacy manager censors the location information transmitted by a mobile device, i.e. it ensures privacy of the location information. In contrast, in the embodiments, the trusted privacy module ensures privacy of the data by only releasing a key when the location of a resource is correct.

A further difference from EP 1220510 is that in EP 1220510 a predetermined set of policies is provided relating to the device. In the embodiments, different data may have entirely different policies. In addition, the same data might be subject to different policies depending on the context. Thus, the flexibility of the approach described here is greater.

The entire process may be audited.

A second example will now be described with reference to FIGS. 2 to 5.

In this embodiment, a trusted platform approach is used. Referring to FIG. 2, a number of servers 30 are provided in a first locality 32 and in a second locality 34. A resource allocation service 36 and a registration entity 38 are provided in each locality.

A policy package 40 is strongly associated with confidential data 42, which may however be stored and executed on any of the servers 30. A Trusted Privacy Service (TPS) 44 is provided to police the privacy rules. Resources need to interact with the TPS 44 to process the confidential data, and to this end the resources have a TPS Interaction Module 46 for carrying out this interaction. The resources further include a trusted localisation provider (TLP) for providing localisation information about the resource.

FIG. 3 shows a policy package 40. Note that in this embodiment the policy package is closely associated with the confidential data 42 and sets out the rules for processing that data. The system may include other data with other policy packages, and indeed it is a benefit of this embodiment that it is easy to apply very different policies to different data, and in the event that new data requires new policies, these can be determined when the new data is created and simply attached to the data.

The policy package 40 contains meta-policies 50 together with specific policies 52 and an optional signature 54. The policy package 40 is in essence a data document that stores the policies. The policies are sets of logical rules that may be expressed in any convenient way, as will be known to those skilled in the art. For example, the policies may be expressed as digitally signed XML data.

Suitable standards for recording such rules include the eXtensible Access Control Markup Language (XACML). Alternatively, the Enterprise Privacy Authorization Language (EPAL) might be used.

The meta-policies 50 are policies that specify the selection of a particular one of the policies for data depending on selection criteria. Thus, one policy may be selected if data is processed in one locality, and a different policy if data is processed in another locality.

The privacy policies 52 themselves are rules that determine how data is to be processed. For example, if the data is being processed outside the locality in which the data was created, certain activities may be prohibited, for example printing the data or outputting it in any way. For more secure types of data, the rule may specify that the data can only be processed on a trusted platform.

The association of data and policy package can be assured using cryptographic techniques, for example by encrypting the data. The integrity of policies and metapolicies can be enforced by a number of techniques, including in particular signatures and enveloping techniques.

The functions of the registration entity 38 and resource allocation service 36 will now be described.

The registration entity 38 includes a list of available resources, which may be all or some of the resources. In the example of FIG. 2, a separate registration entity 38 is provided in each of the first and second localities 32, 34 to allocate resources in that locality. The registration entity 38 also contains details of other registration entities that may be able to allocate resources.

The registration entity 38 obtains localisation information from the servers using the trusted localisation provider (TLP) 48 installed on each of the resources 30.

In some cases, the resources will not have TLPs installed, and in others only some of the resources will have TLPs installed. In these cases the registration entity can manage the localisation information in a centralised manner, and may for example act as the TLP for these resources.

When resources are required, for example to carry out a processing task on data, the resource allocation service identifies resources based on the policy package 40 associated with the data 42 and the information in the registration entity 38 about its resources. In the event that resources under the control of other registration entities 38 and resource allocation services 36 are required, the data regarding these too is obtained from the registration entity 38.

Note that in the example there is one registration entity 38 for each resource allocation service 36, though this is not required, so long as there is at least one resource allocation service in the network.

In alternate embodiments the registration entity 38 is dispensed with and allocation is made “on the fly”. When the resource allocation service needs to allocate a resource, potential resources 30 are identified by the resource allocation service and the resource 30 itself checks whether it can carry out the required processing, using the TLP within the resource and the policy package 40 associated with the data.

The interaction of the Trusted Privacy Service 44 with the resource 30 will now be discussed with reference to FIG. 4.

The resource 30 includes a TLP 48 and a TPS Interaction Module 46. The TPS Interaction Module 46 includes a communications module 60 for communicating with the TPS 44, a disclosure monitoring and control module 62, a policy engine 64 and a cryptographic module 66 for decrypting data.

The TPS includes a communications module 70 for communicating with resources 30 and a cryptographic module 72 for decrypting data when required. A Tracing/Auditing module 74 records the operation of the TPS 44. A disclosure monitoring and control module 76 controls disclosure of data, and a policy engine 78 enforces policies.

A context manager 82 is provided to gather contextual information from the resource 30 and process the relevant set of privacy policies.

The TPS includes secure tamper-resistant storage 84.

To explain the functions of these modules, the processing of data by the resource will now be described.

In order for a resource 30 to process data it needs to decrypt it. The resource 30 sends the policy package 40 associated with the encrypted data 42 to the TPS 44. The context manager 82 then gathers contextual information from the TLP of the resource 30 that identifies the location of the resource. The context manager 82 may also gather data, for example from the policy engine 64 of the resource or elsewhere, to check which policy packages are to be implemented. The exchange between the context manager 82 and the resource 30 is logged by the Tracing/Auditing module 74.

In the event that the resource 30 satisfies the privacy policies of the policy package 40, the trusted privacy service 44 uses the cryptographic module 72 to generate the keys needed to access the confidential data 42 and sends them to the resource 30 to allow the resource to decrypt and process the data.

FIG. 5 shows a trusted server 30 with a trusted localisation platform (TLP) 48. The TLP 48 is implemented as trusted localisation software which certifies or provides localisation information through an Application Program Interface (API) 80. The TLP 48 includes a credential verifier 82 and a credential issuer and modifier 84. The TLP 48 gets localisation information 86, which may be the machine access control (MAC) or IP address of the platform, together with various credentials 88. The localisation information is supplied to the TPS 44.

In some embodiments, this will be sufficient, but in the embodiment described a trusted privacy module (TPM) 90 is provided to improve the trust. In the embodiment now being described, this is a hardware module for security, though this may not be essential in all applications.

The trusted privacy module 90 certifies the localisation information and thereby improves the credence of that information.

The information about the location of the resource may be obtained in one of a number of ways. The information may be obtained from network information relating to the location of the resource within a network. The location information is not necessarily purely geographic. For example, the localisation information may determine whether the computing resource is attached directly to a company network by a secure fixed link, or alternatively attached to the network by a less secure route, for example by a WiFi port or through the internet.

Other known ways of establishing location, for example the global positioning system, may also be used if pure geographic information is required.

In many arrangements, a variety of these approaches will be adopted.

FIG. 6 shows an alternative approach to the trusted localisation platform which may be adopted in a third embodiment. In this approach, as shown in FIG. 6, the TLP is provided in the registration entity.

In this case, the software TLP 48 has an API 92 and a request handler 94. A localisation checker/issuer 96 associates localisation information with resources 30. Information regarding these resources 30 is taken from the resource and stored in the database 98. It is supplied from there directly to the TPS 44.

This has a significant benefit, in that the information is centralised. Further, the registration entity 38 may be run on a trusted platform, which can enhance the reliability and verifiability of the localisation information.

Note that in alternative arrangements, some TLPs may be provided in the resources 30, as in the second embodiment shown in FIG. 5, and other TLPs may be provided in the registration entities 38, as in FIG. 6.

The various components of software used to implement the various parts of the invention may be stored in any convenient data carrier, such as a hard disk, etc. For security, the data carrier may be a ROM or other data carrier that cannot easily be altered.

In these approaches, the servers 30, registration entity 38, resource allocation service 36 and trusted privacy service 44 may all be run on a trusted platform (TP).

The operation of a TLP on a trusted platform will now be described. Note that this approach may be applied wherever the TLP is located, including the cases where the TLP is on the resource 30 as in FIG. 5 or on the registration entity 38 as in FIG. 6. The specific case where a Trusted Platform Module 90 is used is analysed. Other approaches to enhance the operation of the TLP using trusted hardware could be used without necessarily requiring the usage of a Trusted Platform Module 90.

In the specific case where a Trusted Platform Module 90 is used, the software (running on the resource) could operate in conjunction with the TPM 90 as follows. Whenever new localisation information is to be created on the resource, the TLP instructs the TPM to create a new key pair, based on random sources, comprising a new public key and a new private key. For security, the private key is never revealed outside the TPM, and the TLP will request the TPM to perform any operations involving it.

This private key, which is uniquely associated to and only accessible by the TPM, can be used to sign and certify attributes related to the resource and the trusted platform. This allows the TLP to ask the TPM to sign using this key. This uses functionalities specified by the Trusted Computing Group (TCG), such as non-migratable keys, to give a strong binding between the localisation information and the platform and to protect these keys by the TPM.

As defined by the TCG, third parties could publish integrity metrics of (parts of) the TLP mechanism so that its correct operation could be checked as part of the (resource) boot integrity checking process, or in response to a challenge. The TPM could sign some of the generated information if appropriate; if desired, information about the software state of the platform could be included together with this signed data.

An association is created between the identity of the trusted platform in the registration entity and localisation information. This information may be queried by third parties.

To provide further assurance (for example, in cases where information has to flow across multiple domains) an attribute certificate could be created in the registration entity 38 certifying that a resource holding the certificate has certain attributes, possibly including its locality. The certificate includes the new public key.

The information from the TLP 48 that is to be sent is signed by sending the information to the TPM 90 for signature. This signature certifies the localisation information sent.

By using such a certificate the localisation is bound to the platform, and the certificate acts as evidence that a trusted privacy module signed the localisation information, thereby guaranteeing the localisation information.
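The TPM-backed TLP flow above, as an added Go example rather than code from the patent or the TCG specifications: a simulated TPM generates a P-256 key pair whose private half never leaves it and signs the localisation information on the TLP's behalf; the registration entity issues an attribute certificate binding that public key to a locality; and the trusted privacy service accepts a reported location only when the certificate, the platform key and the TPM signature all check out. ECDSA over SHA-256 stands in for whatever algorithm a real TPM would use, the registration entity is assumed to sign with a TPM of its own, and all type and function names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
)

// LocalisationInfo is what the TLP gathers about the platform (cf. FIG. 5).
type LocalisationInfo struct {
	Address       string // MAC or IP address of the platform
	Locality      string
	SoftwareState string // digest of the measured TLP code, if included
}

// TPM stands in for the hardware module: the key pair is generated inside it,
// the private half is never exported, and callers can only ask it to sign.
type TPM struct {
	key *ecdsa.PrivateKey // non-migratable: usable only through this TPM
}

func NewTPM() (*TPM, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TPM{key: k}, nil
}

// PublicKey exports only the public half, DER-encoded, for verifiers.
func (t *TPM) PublicKey() ([]byte, error) { return x509.MarshalPKIXPublicKey(&t.key.PublicKey) }

// Sign hashes the message and signs it with the TPM-resident private key.
func (t *TPM) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, t.key, h[:])
}

// SignedLocalisation is the TLP's output: the information plus the TPM signature.
type SignedLocalisation struct {
	Info      LocalisationInfo
	PubKey    []byte
	Signature []byte
}

// Attest is the TLP handing the localisation information to the TPM for signature.
func Attest(tpm *TPM, info LocalisationInfo) (SignedLocalisation, error) {
	msg, _ := json.Marshal(info) // a struct of strings always marshals
	sig, err := tpm.Sign(msg)
	if err != nil {
		return SignedLocalisation{}, err
	}
	pub, err := tpm.PublicKey()
	return SignedLocalisation{Info: info, PubKey: pub, Signature: sig}, err
}

// AttributeCertificate, issued by the registration entity, binds a platform key to a locality.
type AttributeCertificate struct {
	PubKey   []byte
	Locality string
	Sig      []byte // registration entity's signature over certBody
}

func certBody(pub []byte, locality string) []byte { return append(append([]byte{}, pub...), "|"+locality...) }

// Issue runs in the registration entity, which here signs with a TPM of its own.
func Issue(re *TPM, pub []byte, locality string) (AttributeCertificate, error) {
	sig, err := re.Sign(certBody(pub, locality))
	return AttributeCertificate{PubKey: pub, Locality: locality, Sig: sig}, err
}

func verify(pubDER, msg, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pubDER)
	pk, ok := k.(*ecdsa.PublicKey)
	h := sha256.Sum256(msg)
	return err == nil && ok && ecdsa.VerifyASN1(pk, h[:], sig)
}

// VerifyLocalisation is the TPS-side check before a reported locality is trusted.
func VerifyLocalisation(sl SignedLocalisation, cert AttributeCertificate, rePub []byte) error {
	if !verify(rePub, certBody(cert.PubKey, cert.Locality), cert.Sig) {
		return errors.New("attribute certificate not signed by registration entity")
	}
	if string(sl.PubKey) != string(cert.PubKey) {
		return errors.New("signing key is not the certified platform key")
	}
	msg, _ := json.Marshal(sl.Info)
	if !verify(sl.PubKey, msg, sl.Signature) {
		return errors.New("localisation information not signed by the platform TPM")
	}
	if sl.Info.Locality != cert.Locality {
		return errors.New("reported locality differs from the certified locality")
	}
	return nil
}
```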

More details follow about the trusted privacy module.

The trusted privacy module has a data storage key for storing data. Only the trusted privacy module knows the key, ensuring that other components cannot access the data. This key may be migratory, i.e. usable on all platforms, or non-migratory, i.e. only usable on the platform of that particular trusted privacy module.

This data storage key may be used to protect a signature key in the trusted privacy module so that only the trusted privacy module can access the signature key to use it to sign data.

The trusted privacy module approach may also be used to ensure that the signed localisation data is not disclosed in an environment not believed to be safe.

In the present case, the signature key used by the trusted privacy module to sign data is non-migratory, so that the recipient of a certificate signed by the signature key is assured that the signing key was used on the correct trusted privacy module.

In alternative arrangements using a migratory signature key, the user of the signature key must be relied upon to ensure that it is not used outside a trusted privacy module.

The embodiments described above can ensure, with suitable privacy policies, that confidential data is processed only on resources that satisfy privacy policies relevant to the data.

Note that in preferred embodiments the various “trusted” services use trusted platforms implemented in hardware and software. However, the invention is applicable to software-based systems also, where such systems can provide sufficient security. In this context the word “trusted”, when referring to a service, means that the entity accessing that service has confidence that the service will behave in the expected manner for the intended purpose. Judgements can be made based on evidence on a combination of social trust and integrity information about the state of the platform.

CLAIMS

1. A method of processing data at a resource, comprising: receiving, by the resource from a resource allocation service, the data and an associated policy package setting a privacy policy associated with the data; sending, from the resource to a trusted privacy service, a message requesting a key to decrypt the data to allow the data to be processed at the resource; sending, from the resource to the trusted privacy service, the policy package; and receiving, by the resource from the trusted privacy service, the key to allow the resource to decrypt the data and process the data, responsive to the trusted privacy service determining from the policy package that the resource is permitted to process the data.

2. The method of claim 1, further comprising: obtaining, by the resource from a trusted localization provider, localization information regarding the resource.

3. The method of claim 2, wherein the localization information identifies a location of the resource.

4. The method of claim 2, wherein the localization information identifies a geographic location of the resource.

5. The method of claim 2, wherein the localization information comprises an address of the resource.

6. The method of claim 2, further comprising: sending, by the resource to the trusted privacy service, the localization information.

7. The method of claim 6, wherein the trusted localization provider and a trusted privacy module are located within the resource, the method further comprising: digitally signing, by the trusted privacy module, the localization information so that the trusted privacy service is able to check that the localization information is trusted.

8. The method of claim 7, further comprising: sending further information from the resource to the trusted localization provider relating to privacy policies in force in the resource, to allow the trusted localization provider to verify that the resource has suitable privacy policies to process the data.

9. The method of claim 1, wherein the policy package is included in the message.

10. The method of claim 1, wherein the policy package includes rules that determine how the data is to be processed.

11. A resource comprising: a non-transitory storage medium storing instructions; and a processor to execute the instructions to: receive, from a resource allocation service, data and an associated policy package setting a privacy policy associated with the data; send a message to a trusted privacy service requesting a key; send, to the trusted privacy service, the policy package; receive, from the trusted privacy service, the key responsive to the trusted privacy service determining from the policy package that the resource is permitted to process the data; decrypt, using the key, the data and process the decrypted data at the resource.

12. The resource of claim 11, wherein the processor is to execute the instructions to further: obtain, from a trusted localization provider, information regarding a location of the resource.

13. The resource of claim 12, wherein the processor is to execute the instructions to further send the information regarding the location of the resource to the trusted service provider.

14. The resource of claim 12, further comprising the trusted localization provider.

15. The resource of claim 11, wherein the policy package is included in the message.

16. A non-transitory storage medium storing instructions that upon execution cause a resource to: receive, from a resource allocation service, data and an associated policy package setting a privacy policy associated with the data; send a message to a trusted privacy service requesting a key to decrypt the data; send, to the trusted privacy service, the policy package; receive, from the trusted privacy service, the key responsive to the trusted privacy service determining from the policy package that the resource is permitted to process the data; and decrypt, using the key, the data and process the decrypted data at the resource.

17. The non-transitory storage medium of claim 16, wherein the instructions upon execution cause the resource to: obtain, from a trusted localization provider, information regarding a location of the resource.

18. The non-transitory storage medium of claim 17, wherein the instructions upon execution cause the resource to send the information regarding the location of the resource to the trusted service provider.

19. The non-transitory storage medium of claim 18, wherein the information regarding the location of the resource comprises information regarding a geographical location of the resource.

20. The non-transitory storage medium of claim 16, wherein the policy package is included in the message.